SlideShare une entreprise Scribd logo

Virtual Machine Introspection with Xen

Tamas K Lengyel
Tamas K Lengyel

Xen developer summit 2015 slides

Logiciels
1  sur  26
Télécharger pour lire hors ligne
Virtual Machine Introspection with Xen Tamas K Lengyel tamas@tklengyel.com
Virtual Machine Introspection ● Isolation ● Interpretation ● Interposition
Isolation ● From in-guest kernel/userspace • Provided by Xen • Buggy emulation blurres the line ● From trusted computing base (TCB) • Possible via Xen Security Modules • Move introspection system out from dom0!
Xen Security Modules (XSM) ● Usable since Xen 4.3 and Linux 3.8 ● Disaggregate the TCB ● Available on both x86 and ARM ● Not enabled by default
Interpretation ● Reconstruct kernel/process state ● Use memory forensic techniques ● LibVMI – http://libvmi.com 00 00 00 00 9c 95 ba e0 7c b7 37 c1 6c 6f 6f 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ae 27 de c0 4a 80 df e4 95 ba e0 cc 4a 80 df c0 4a 80 df 6c b0 37 c1 40 35 8e df 03 00 00 00 07 00 00 00 5c c1 c3 e0 00 00 00 00 00 00 00 00 00 70 2a de 00 00 00 00 00 00 00 00 80 7f 33 de 50 c0 c3 e0 60 c0 c3 e0 02 00 00 00 68 c0 c3 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 c3 e0 00 00 00 00 00 a0 c3 e0 00 00 00 00 a5 26 00 00 00 00 00 00 3d 1e 00 00 00 00 00 00 02 00 00 00 90 96 ba e0 c8 8f 38 c1 d4 bf c3 e0 c8 c2 c3 e0 c8 c2 c3 e0 20 00 00 00 20 00 00 00 c8 c4 c3 e0 c8 c4 c3 e0 00 1c ba df 00 7f 33 de 00 00 00 00 58 ae 27 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 c2 c3 e0 a0 c2 c3 e0 30 84 99 de b8 bd c3 e0 a8 79 3f fe 00 00 00 00 00 00 00 00 struct module state list name mkobj modinfo_attrs version src_version holders_dir syms crcs num_syms ... ctors num_ctors module_state = MODULE_STATE_LIVE struct list_head next prev unsigned int = 0 void (*)() = NULL char[60] = "loop" struct module_kobject kobj mod drivers_dir mp
Interposition ● Trap to Xen when something of interest happens within the guest • Enable optional hardware traps • CLTS, HLT, LGDT, LIDT, LLDT, LTR, SGDT, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INT0, MTF, etc.. • See full list in Intel SDM 3c 25.1.3
Interposition ● Change access permissions in EPT ● Trap violation into Xen ● R/W/X ● With some caveats
EPT caveats “An EPT violation that occurs during as a result of execution of a read-modify-write operation sets bit 1 (data write). Whether it also sets bit 0 (data read) is implementation- specific and, for a given implementation, may differ for different kinds of read-modify- write operations.” - Intel SDM 3c
EPT caveats ● “Why can't the hardware report the true characteristics right away?” - Jan Beulich ● “when spec says so, there is a reason but I can't tell here. :-)” - Kevin Tian ● Well.. let's just mark all write volation as read violation too.. ● Patched in Xen 4.5
EPT caveats ● Requires relaxing the EPT permissions ● Requires singlestepping the vCPU ● Many VMEXITs not shown in picture! ● Fixed for Xen 4.6
EPT caveats ● Race-condition if VM has multiple vCPU ● No solution for this problem prior to Xen 4.6 ● New method introduced in Xen 4.6 that solves this: altp2m
altp2m ● Add support for multiple EPTs for second stage lookup! ● One table for “restricted view” ● One table for “normal view”
altp2m ● EPT pointer can be swapped in the VMCS ● No need to change EPT PTE permissions all the time ● No race condition
Interposition ● Once trapped to Xen, forward events • Formerly known as mem_event • Renamed and reworked as vm_event in 4.6 ● Request/response via shared memory ring • Monitor page used for VMI related events • Two additional pages: memory sharing and paging
vm_event & mem_access & monitor ● Let's keep track of subsystem names ● vm_event is the underlying request/response mechanism ● mem_access memops control EPT ● monitor_op domctls control all other optional VM execution traps
Event delivery structures in 4.6 ● Defined in xen/vm_event.h public header ● Easily extendable and versioned ● No more hackery ● Event response can trigger specific behavior without additional hypercalls • Trigger emulation, singlestepping, swap altp2m...
VMI with Xen on ARM ● ARM has two-stage paging similar to EPT ● mem_access implemented for 4.6 ● Some caveats: • No singlestepping? • Can be worked around but it's a pain • Split-TLB ambiguities
ARM mem_access ● ARM PTEs have fewer software programmable bits as compared to EPT ● ARM mem_access requires maintaining a Radix-tree to keep track of PTEs with custom permissions ● Radix-tree keyed with GPA
ARM mem_access ● For a 2nd stage violation ARM provides the faulting GVA ● GPA only provided if fault happened during 1st stage pagetable walk ● Xen needs to translate GVA to GPA to perform Radix-tree lookup
ARM mem_access ● Native CPU instructions to perform GVA to GPA translation ● Performs lookup as data-fetch access ● What if we trapped an instruction-fetch access? • In-guest translation hits iTLB • Xen hits dTLB
● Split-TLB is a real rootkit problem • ShadowWalker, MoRE, etc.. ● Guest can load the iTLB with rootkit page and dTLB with benign page ● Flushing the TLB does not help, iTLB translation may be lost if PT no longer represents the cached translation ARM Split-TLB problem
● Execution tracing with mem_access may be problematic ● Use Secure Monitor Call (SMC) instruction injection! ● Similar to 0xCC injection on x86 ● TODO ARM future work
● altp2m is primarily designed to be used with Intel #VE ● VMCALL instruction to perform EPTP switching from the guest ● Hybrid VMI ● KVM events x86 future work
● Why aren't we using git pulls? • Patches in mailinglist without branch-off point specified • Carving patches from mbox is a pain • Start providing a public git branch for your series!! Lessons learnt
● Provide build-testing for the community • It's a waste of time to wait for review on something that's broken • Check for style issues automatically? • Travis-CI is OK but can time-out on large series • https://github.com/tklengyel/xen/tree/travis Lessons learnt
Thanks! Tamas K Lengyel tamas@tklengyel.com tlengyel@novetta.com @tklengyel LibVMI http://libvmi.com DRAKVUF http://drakvuf.com

Recommandé

CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
Tamas K Lengyel
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
Tamas K Lengyel
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
Tamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 

Recommandé

CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
Tamas K Lengyel
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
Tamas K Lengyel
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
Tamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
Tamas K Lengyel
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
Tamas K Lengyel
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
Tamas K Lengyel
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
Tamas K Lengyel
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
Positive Hack Days
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Tamas K Lengyel
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
Kernel TLV
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver framework
Anne Nicolas
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 

Contenu connexe

Tendances

Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
Positive Hack Days
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver framework
Anne Nicolas
 

Tendances (20)

VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver framework
 

Similaire à Virtual Machine Introspection with Xen

SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
Linaro
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...
aliguori
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Dario Faggioli
 

Similaire à Virtual Machine Introspection with Xen (20)

SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Java Memory Model
Java Memory ModelJava Memory Model
Java Memory Model
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Advanced Root Cause Analysis
Advanced Root Cause AnalysisAdvanced Root Cause Analysis
Advanced Root Cause Analysis
 
Analisis_avanzado_vmware
Analisis_avanzado_vmwareAnalisis_avanzado_vmware
Analisis_avanzado_vmware
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
 
Troubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTroubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contention
 
20150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.420150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.4
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC session
 
VXCON 2017
VXCON 2017VXCON 2017
VXCON 2017
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
 
Armboot process zeelogic
Armboot process zeelogicArmboot process zeelogic
Armboot process zeelogic
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)
 
Spectre and meltdown
Spectre and meltdownSpectre and meltdown
Spectre and meltdown
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 

Plus de Tamas K Lengyel

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 

Plus de Tamas K Lengyel (6)

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 

Dernier

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
VictorSzoltysek
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 

Dernier (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 

Virtual Machine Introspection with Xen

  • 1. Virtual Machine Introspection with Xen Tamas K Lengyel tamas@tklengyel.com
  • 2. Virtual Machine Introspection ● Isolation ● Interpretation ● Interposition
  • 3. Isolation ● From in-guest kernel/userspace • Provided by Xen • Buggy emulation blurres the line ● From trusted computing base (TCB) • Possible via Xen Security Modules • Move introspection system out from dom0!
  • 4. Xen Security Modules (XSM) ● Usable since Xen 4.3 and Linux 3.8 ● Disaggregate the TCB ● Available on both x86 and ARM ● Not enabled by default
  • 5. Interpretation ● Reconstruct kernel/process state ● Use memory forensic techniques ● LibVMI – http://libvmi.com 00 00 00 00 9c 95 ba e0 7c b7 37 c1 6c 6f 6f 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ae 27 de c0 4a 80 df e4 95 ba e0 cc 4a 80 df c0 4a 80 df 6c b0 37 c1 40 35 8e df 03 00 00 00 07 00 00 00 5c c1 c3 e0 00 00 00 00 00 00 00 00 00 70 2a de 00 00 00 00 00 00 00 00 80 7f 33 de 50 c0 c3 e0 60 c0 c3 e0 02 00 00 00 68 c0 c3 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 c3 e0 00 00 00 00 00 a0 c3 e0 00 00 00 00 a5 26 00 00 00 00 00 00 3d 1e 00 00 00 00 00 00 02 00 00 00 90 96 ba e0 c8 8f 38 c1 d4 bf c3 e0 c8 c2 c3 e0 c8 c2 c3 e0 20 00 00 00 20 00 00 00 c8 c4 c3 e0 c8 c4 c3 e0 00 1c ba df 00 7f 33 de 00 00 00 00 58 ae 27 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 c2 c3 e0 a0 c2 c3 e0 30 84 99 de b8 bd c3 e0 a8 79 3f fe 00 00 00 00 00 00 00 00 struct module state list name mkobj modinfo_attrs version src_version holders_dir syms crcs num_syms ... ctors num_ctors module_state = MODULE_STATE_LIVE struct list_head next prev unsigned int = 0 void (*)() = NULL char[60] = "loop" struct module_kobject kobj mod drivers_dir mp
  • 6. Interposition ● Trap to Xen when something of interest happens within the guest • Enable optional hardware traps • CLTS, HLT, LGDT, LIDT, LLDT, LTR, SGDT, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INT0, MTF, etc.. • See full list in Intel SDM 3c 25.1.3
  • 7. Interposition ● Change access permissions in EPT ● Trap violation into Xen ● R/W/X ● With some caveats
  • 8. EPT caveats “An EPT violation that occurs during as a result of execution of a read-modify-write operation sets bit 1 (data write). Whether it also sets bit 0 (data read) is implementation- specific and, for a given implementation, may differ for different kinds of read-modify- write operations.” - Intel SDM 3c
  • 9. EPT caveats ● “Why can't the hardware report the true characteristics right away?” - Jan Beulich ● “when spec says so, there is a reason but I can't tell here. :-)” - Kevin Tian ● Well.. let's just mark all write volation as read violation too.. ● Patched in Xen 4.5
  • 10. EPT caveats ● Requires relaxing the EPT permissions ● Requires singlestepping the vCPU ● Many VMEXITs not shown in picture! ● Fixed for Xen 4.6
  • 11. EPT caveats ● Race-condition if VM has multiple vCPU ● No solution for this problem prior to Xen 4.6 ● New method introduced in Xen 4.6 that solves this: altp2m
  • 12. altp2m ● Add support for multiple EPTs for second stage lookup! ● One table for “restricted view” ● One table for “normal view”
  • 13. altp2m ● EPT pointer can be swapped in the VMCS ● No need to change EPT PTE permissions all the time ● No race condition
  • 14. Interposition ● Once trapped to Xen, forward events • Formerly known as mem_event • Renamed and reworked as vm_event in 4.6 ● Request/response via shared memory ring • Monitor page used for VMI related events • Two additional pages: memory sharing and paging
  • 15. vm_event & mem_access & monitor ● Let's keep track of subsystem names ● vm_event is the underlying request/response mechanism ● mem_access memops control EPT ● monitor_op domctls control all other optional VM execution traps
  • 16. Event delivery structures in 4.6 ● Defined in xen/vm_event.h public header ● Easily extendable and versioned ● No more hackery ● Event response can trigger specific behavior without additional hypercalls • Trigger emulation, singlestepping, swap altp2m...
  • 17. VMI with Xen on ARM ● ARM has two-stage paging similar to EPT ● mem_access implemented for 4.6 ● Some caveats: • No singlestepping? • Can be worked around but it's a pain • Split-TLB ambiguities
  • 18. ARM mem_access ● ARM PTEs have fewer software programmable bits as compared to EPT ● ARM mem_access requires maintaining a Radix-tree to keep track of PTEs with custom permissions ● Radix-tree keyed with GPA
  • 19. ARM mem_access ● For a 2nd stage violation ARM provides the faulting GVA ● GPA only provided if fault happened during 1st stage pagetable walk ● Xen needs to translate GVA to GPA to perform Radix-tree lookup
  • 20. ARM mem_access ● Native CPU instructions to perform GVA to GPA translation ● Performs lookup as data-fetch access ● What if we trapped an instruction-fetch access? • In-guest translation hits iTLB • Xen hits dTLB
  • 21. ● Split-TLB is a real rootkit problem • ShadowWalker, MoRE, etc.. ● Guest can load the iTLB with rootkit page and dTLB with benign page ● Flushing the TLB does not help, iTLB translation may be lost if PT no longer represents the cached translation ARM Split-TLB problem
  • 22. ● Execution tracing with mem_access may be problematic ● Use Secure Monitor Call (SMC) instruction injection! ● Similar to 0xCC injection on x86 ● TODO ARM future work
  • 23. ● altp2m is primarily designed to be used with Intel #VE ● VMCALL instruction to perform EPTP switching from the guest ● Hybrid VMI ● KVM events x86 future work
  • 24. ● Why aren't we using git pulls? • Patches in mailinglist without branch-off point specified • Carving patches from mbox is a pain • Start providing a public git branch for your series!! Lessons learnt
  • 25. ● Provide build-testing for the community • It's a waste of time to wait for review on something that's broken • Check for style issues automatically? • Travis-CI is OK but can time-out on large series • https://github.com/tklengyel/xen/tree/travis Lessons learnt